[Koha-bugs] [Bug 28420] Allow login via AzureAD OpenID-Connect

bugzilla-daemon at bugs.koha-community.org
Wed May 26 01:31:22 CEST 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28420

--- Comment #8 from David Cook <dcook at prosentient.com.au> ---
(In reply to mark.jaroski from comment #7)
> I think as long as we're doing pure authentication the only part of OAuth2
> we'd want to implement is the straight OpenID-Connect flow which goes like
> this:
> 
> 1. Fetch the IDP metadata
> 2. Send the user to the IDP to fetch their OpenID JWT
> 3. Validate the JWT against the prefetched metadata
> 
> There's no reason AFAIK to continually fetch the metadata, so that can be
> done asynchronously with some kind of scheduled task like a cron job.

Personally, I hate cronjobs. They're a nightmare to manage if you have a lot of
instances to manage or even try to scale up one instance. In this case, the
metadata is available as JSON, so I'd say fetch it once, and then stick it in a
cache.

> I guess the only reason to implement any other OAuth2 flow would be to work
> with third-party APIs. I guess there might be some of that these days, but I
> have to admit not knowing enough about Koha to know what they would be.
> Maybe some kind of third-party e-book provider?

I'm not sure about Overdrive, but with EBSCO we've done SAML integrations for
OpenAthens and shared client ADFS. I imagine we'd still use the Authorization
Code Flow if we used OIDC instead though. It's such a common flow.

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
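The three-step flow quoted above (fetch the IdP metadata, send the user off to get an ID token, validate the JWT against that metadata), together with the fetch-once-and-cache approach David describes, as an added Python walk-through. This is example code written for this archive page, not Koha's or the bug's own code, and not Perl. The discovery document, issuer, client id, secret and nonce are constructed placeholders. The token is signed with HS256 using the client secret (OIDC Core section 10.1 allows this for confidential clients) so the example runs on the standard library alone; an RS256 token from Azure AD goes through the same claim checks, but the signature step must look the `kid` up in the `jwks_uri` document with an RSA-capable library.

```python
"""Constructed OIDC ID-token validation walk-through (added example, not Koha code).

Steps mirrored from the thread: (1) fetch IdP discovery metadata and keep it in an
in-process cache instead of refreshing it from a cron job, (2) receive the ID token
JWT the user brings back, (3) validate it against the cached metadata.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed discovery document, i.e. what {issuer}/.well-known/openid-configuration
# would return. Issuer, endpoints and client values are placeholders, not a real tenant.
DISCOVERY_DOC = {
    "issuer": "https://idp.example.test/tenant-placeholder/v2.0",
    "authorization_endpoint": "https://idp.example.test/tenant-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example.test/tenant-placeholder/oauth2/v2.0/token",
    "jwks_uri": "https://idp.example.test/tenant-placeholder/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}
CLIENT_ID = "koha-client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"


class MetadataCache:
    """Fetch-once cache: the fetcher runs on first use and again only once the TTL lapses."""

    def __init__(self, fetcher, ttl_seconds=3600, now=time.time):
        self._fetcher = fetcher      # callable returning the parsed discovery JSON
        self._ttl = ttl_seconds
        self._now = now
        self._doc = None
        self._fetched_at = 0.0
        self.fetch_count = 0         # exposed so the caching behaviour can be checked

    def get(self):
        if self._doc is None or self._now() - self._fetched_at >= self._ttl:
            self._doc = self._fetcher()
            self._fetched_at = self._now()
            self.fetch_count += 1
        return self._doc


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_id_token(claims: dict, secret: str) -> str:
    """Constructed IdP side: issue an HS256-signed ID token so the verifier has input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, metadata: dict, client_id: str, client_secret: str,
                      expected_nonce: str, now=None) -> dict:
    """Validate an ID token against cached metadata; return its claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:               # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed JWT")

    # Only accept an algorithm the IdP advertises in its metadata. This rejects
    # "none" and any algorithm the token header picked that the IdP never offered.
    alg = header.get("alg")
    if alg not in metadata.get("id_token_signing_alg_values_supported", []):
        raise ValueError(f"alg {alg!r} not permitted by IdP metadata")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented here; RS256 needs the jwks_uri keys")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # Claim checks from OIDC Core section 3.1.3.7: issuer, audience, expiry, nonce.
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The nonce is the value the relying party generated and stored in the user's session before redirecting to `authorization_endpoint`; the check ties the returned token to that specific login attempt. The cache takes the fetcher as a callable, so a real deployment would pass in an HTTPS GET of the discovery URL and the cache, not a scheduler, decides when it runs.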
